- From: Jim Gettys <jg@pa.dec.com>
- Date: Thu, 8 Jan 1998 09:12:34 -0800
- To: "David W. Morris" <dwm@xpasc.com>
- Cc: Jim Gettys <jg@pa.dec.com>, Paul Leach <paulle@microsoft.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, Scott Lawrence <lawrence@agranat.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
> From: "David W. Morris" <dwm@xpasc.com>
> Date: Wed, 7 Jan 1998 18:29:38 -0800 (PST)
> To: Jim Gettys <jg@pa.dec.com>
> Cc: Paul Leach <paulle@microsoft.com>,
>     http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com,
>     Scott Lawrence <lawrence@agranat.com>, http-wg@cuckoo.hpl.hp.com
> Subject: RE: Digest mess
>
> Material elided...
>
> Of course, once we have hidden the password using digest, there is
> still no way to update the password but one could argue that
> it is harder to sniff the infrequent update than the repeated
> authentication credential.

We have a somewhat secure mechanism widely available today for updating the password: that is SSL. You can use SSL to your server or (given Paul's scheme, if he can enlighten us as he catches up on his mail after the holiday) your KDC and update your password. (Not to mention telephone, PGP encrypted mail, and other mostly secure methods). So the password update problem can be done pretty well without significant problems, given what we already have deployed. And some folks (e.g. Lotus Notes) already have KDC's and ways of setting passwords securely.

Note that SSL usage has to be done with a bit of care, if you want to avoid "partially known plaintext" attacks on the data going over the connection to the backend server speaking SSL, when doing the password updates.

This isn't a complete panacea, as many organizations do not allow SSL through their firewalls (for good reasons), so in the longer term, we'll need another protocol, me thinks, just for talking to servers and/or KDC's.

> In any case, I believe it is critical to protect the authentication
> credentials not because we are securing the web transaction BUT for
> the reasons Jim has noted ... to prevent the use of web passwords
> grabbed from the net from being used to access unrelated services.
>
> Take on the data verification as a second problem. Perhaps do
> something about the password update issue as well... Perhaps
> even a variation of shttp to protect and authenticate the payload
> with lower implementation costs than SSL.

Getting Digest done sooner rather than later will greatly reduce the long term interoperability problems we'll have to get passwords in the clear off the Internet, and allow us all to focus on the password setting problem with more breathing room...

So I'm all for message integrity, but if I have to choose one or the other (password safety), I'd settle for password safety. The discussion I'm seeing though, makes me think we may be able to have both...

- Jim

--
Jim Gettys
Industry Standards and Consortia
Digital Equipment Corporation
Visiting Scientist, World Wide Web Consortium, M.I.T.
http://www.w3.org/People/Gettys/
jg@w3.org, jg@pa.dec.com
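As an added illustration of the property the thread is weighing (this is example code, not from the post, the working group, or any server of the time), the exchange below computes an RFC 2069-style Digest response with constructed credentials: the password never crosses the wire and the server keeps only H(A1), while the response covers nothing of the entity body, which is the "message integrity" gap Jim distinguishes from password safety. The realm, user, password and nonce values are constructed sample input.

```python
import hashlib
import hmac
import re

def h(data: str) -> str:
    """H() of RFC 2069 Digest authentication: MD5 as lowercase hex."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """response = H( H(A1) ":" nonce ":" H(A2) ), with A2 = method ":" uri.
    The request body is not an input, so Digest hides the password but
    does not authenticate the payload (the thread's 'message integrity')."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{ha2}")

def client_authorization(username, realm, password, nonce, method, uri):
    """Authorization header the client sends. The password is only used to
    derive H(A1) = H(user:realm:password); it never appears on the wire."""
    ha1 = h(f"{username}:{realm}:{password}")
    resp = digest_response(ha1, nonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"')

def parse_digest(header: str) -> dict:
    """Minimal parser for the quoted key="value" fields of the header."""
    if not header.startswith("Digest "):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', header[len("Digest "):]))

def server_verify(header, method, ha1_store, issued_nonces) -> bool:
    """Server side: store only H(A1), which is bound to this realm, and
    accept a response only for a nonce this server actually issued."""
    f = parse_digest(header)
    if f.get("nonce") not in issued_nonces:
        return False
    ha1 = ha1_store.get((f.get("username"), f.get("realm")))
    if ha1 is None or "uri" not in f:
        return False
    expected = digest_response(ha1, f["nonce"], method, f["uri"])
    return hmac.compare_digest(expected, f.get("response", ""))

# Constructed sample exchange (not values from the thread).
REALM, USER, PASSWORD = "example.test", "alice", "s3cret-pw"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c0"       # as issued by the server
ISSUED_NONCES = {NONCE}
HA1_STORE = {(USER, REALM): h(f"{USER}:{REALM}:{PASSWORD}")}
HEADER = client_authorization(USER, REALM, PASSWORD, NONCE, "GET", "/dir/index.html")
```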
Received on Thursday, 8 January 1998 09:19:51 UTC